Re: Database authentication

[Chris Miller]

Hi Mike, 

| The MySQL Connector/J .jar should be in GUACAMOLE_HOME/lib/, not
| GUACAMOLE_HOME/lib/mysql/.
Brilliant! That was the problem... It wasn't clear to me that I had done that 
correctly, and it is now clear that I hadn't. 

Thanks for the help, 
-- 
Chris. 

V:916.974.0424 
F:916.974.0428 

Re: Database authentication

[Mike Jumper]

On Oct 21, 2016 13:35, "Chris Miller"  wrote:
>
> Hi Folks,
>
> I'm following Chapter 6 in the manual, which is an exceptionally good
work.
>

Thanks!

> I have installed MiriaDB, created a database, "guacamole", and user
"guacamole" with a password, granted the necessary privs, and run the
scripts in mysql/schema. I've confirmed that I can run "mysql -u guacamole
-p" and that the database is populated. I can see "guacadmin". I've updated
guacamole.properties accordingly.
>
> I've added
> ${GUACAMOLE_HOME}/extensions/guacamole-auth-jdbc-mysql-0.9.9.jar
> ${GUACAMOLE_HOME}/lib/mysql/mysql-connector-java-5.1.40-bin.jar
> It is not clear to me that I have expanded both tarballs correctly and
put everything in the correct place.
>

The MySQL Connector/J .jar should be in GUACAMOLE_HOME/lib/, not
GUACAMOLE_HOME/lib/mysql/.

>
> In short, I believe I've followed Chapter 6 assiduously, but the
guacamole logon page is now blank. If I comment out the entries in
guacamole.properties, the I am back up and running with user-mapping.xml,
but that simply confirms that guacamole.properties is correctly positioned
and formatted.
>

Any errors from Guacamole in the Tomcat logs? Those logs would be the first
place to check for an explanation of the problem. The relevant messages
would have been logged during startup, or possibly whenever you attempt to
visit Guacamole with a browser.

- Mike

Windows server

[Chris Miller]

Hi Folks, 

I have guacamole 0.9.9 up and running on Centos 7. My desktops connect with RDP 
effortlessly, but my domain controllers running Windows Server 2008r2 and 
Windows Server 2012r2 will not accept connections. After I log in and get my 
page of configured connections, and I select one of the Domain Controllers, I 
get a message, "The remote desktop server encountered an error and has closed 
the connection. Please try again or contact your system administrator." 

I find no traces in the event log, so I'm flying blind here. Can anybody 
suggest where to look for clues about the discontent of my Windows Server 
boxes? 
-- 
Chris. 

V:916.974.0424 
F:916.974.0428 

RE: Scripted Branding

[Chris Cook]

Anything?

From: Chris Cook [mailto:coo...@jlsautomation.com]
Sent: Monday, October 17, 2016 9:24 PM
To: user@guacamole.incubator.apache.org
Subject: RE: Scripted Branding

Sorry about the brevity of my earlier response; my better-half and I were 
entertaining a new client - one who is very keen on implementing and 
experimenting with a Guac based tablet/mobile HMI infrastructure within his 
factory...

The logos and the favicons, should both be fixed assets somewhere and should be 
fairly easy to copy over via script within a BASH environment, following the 
platform installation/build-out; something like the following should do the 
trick:

Logo Copyover:
 cp /media/installationID/logo.png 
/guacamole_fixed-asset_directory/logo_whatever.png

Favicon Copyover:
 cp /media/installationID/favicon.png 
/guacamole_fixed-asset_directory/favicon_whatever.png

The issue with this scripting methodology is knowing where the fixed assets are 
located within the default file structure...  If you could provide some 
illumination as to the path of these static assets, that would be awesome.

Changing the webapp display name and the browser tab display names will be a 
little more complicated as they are both supposedly generated by a .css file 
somewhere.  If this .css file is a static asset, where is it located?  If this 
.css file is dynamically generated, what generates it and how can I edit it to 
accept a one-time user entry to establish an application name?

To be clear, the project I am working on is based upon a fixed/static and 
non-updating, configuration-fixed, and revision-controlled appliance build 
model - i.e. my company builds and installs the appliance within a system which 
will then be revision-fixed.  If requested/required, I or another engineer 
would update the core platform, fault test the new core platform, press a new 
distribution image, and then update/upgrade the production system as 
specifically requested/contracted.

As such, I am not concerned about an end-client initiated update/upgrade event 
as my end-client user will not have the ability to independently perform such 
an operation without the involvement of either myself or one the engineers that 
works with/for me.

From: Chris Cook [coo...@jlsautomation.com]
Sent: Monday, October 17, 2016 7:14 PM
To: 
user@guacamole.incubator.apache.org
Subject: Re: Scripted Branding
Mike,

Thanks for your response.  If I am understanding you correctly, I can use a 
BASH script that includes functions like CAT or an ECHO pipe to write out an 
installation specific .jar to the guacamole-home folder?

Sent from my iPhone

On Oct 17, 2016, at 18:56, Mike Jumper 
> wrote:
On Mon, Oct 10, 2016 at 10:12 AM, Chris Cook 
> wrote:
Greetings,

I am currently reviewing Guacamole for inclusion in an IIoT platform for 
industrial equipment - to allow for operator interface access via webpage.

Both I and my team LOVE the default Guac 0.9.9 webapp!

Thanks!

However, we have one hurtle that we need some help overcoming...  We are 
estimating approx. 100 uniquely branded deployments every year.  As such, 
generating a deployment specific branding extension for each and every 
deployment would become rather cumbersome very quickly.

Branding extensions are the intended way to achieve this. The idea was that by 
encapsulating such changes within an extension, branding changes could remain 
stable across upgrades, thus making things more convenient and doing away with 
the need to patch the webapp itself.

Is there a way to change the application name, the logo, and the favicon of the 
default web-client without having to generate and deploy a new .war archive?

There's no need to deploy a whole new .war each time (though, since you 
mentioned branding extensions earlier, perhaps you meant .jar).

It should be possible to script the generation of a branding extension if the 
specifics are predictable (logo, icon, changes to the strings). Have you given 
writing such a script a shot?

- Mike

THIS E-MAIL MESSAGE AND ANY ATTACHMENTS ARE INTENDED FOR THE USE OF THE 
INDIVIDUAL OR ENTITY TO WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT 
IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. If 
the reader of this message is not the intended recipient or the employee or 
agent responsible for delivering the message to the intended recipient, you are 
hereby notified any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by replying to this message or by 
sending an e-mail to i...@jlsautomation.com and 
destroy all copies of this message and any attachments. Thank you.
THIS E-MAIL MESSAGE AND ANY ATTACHMENTS 

Re: Console ID Cache issue when using user-mapping.xml

[Mike Jumper]

On Fri, Oct 21, 2016 at 2:56 AM, Rishi <2rushike...@gmail.com> wrote:

> Hi Mike,
>
> I did wrote a separate authentication module inspired from noauth however
> the problem still persists.
> It is the cookie that connects to original console and not new one. If I
> remove cookie and try for new console, it works fine.
>
>
Authentication/session state is tied to the authentication token, which is
stored in memory and, yes, within a cookie by JavaScript. The cookie is not
used in the traditional sense, and is ignored by the server. The part of
HTTP requests which the web application uses to tie a request to a session
is the "token" parameter.

Any ideas how can I force flush cookie and let it go through authentication
> module ?
>
>
First, to clarify, I think it's important to avoid fixating on the cookie.
While it is part of the issue you're encountering, it is not actually the
cause. Both the built-in extension which uses user-mapping.xml and the
NoAuth extension cache the connections available to a user, so if you're
basing your authentication extension on NoAuth, there is a good chance you
inherited that behavior. The caching is internal to
SimpleAuthenticationProvider.

If you implement AuthenticationProvider directly, rather than using the
SimpleAuthenticationProvider class, the level of caching (if any) can be
dictated by your implementation.

Beyond that, if you find yourself fighting the authentication/extension
subsystem, you might want to look into integrating the core of Guacamole
rather than the entire web application. The authentication system is
specific to the web application we wrote around our own APIs, and those
APIs are intentionally kept independent. If you integrate the remote
desktop functionality of Guacamole using those APIs, then you can dictate
how connections are established entirely yourself:

http://guacamole.incubator.apache.org/doc/gug/writing-you-own-guacamole-app.html

- Mike

Re: Console ID Cache issue when using user-mapping.xml

[Rishi]

Hi Mike,

I did wrote a separate authentication module inspired from noauth however
the problem still persists.
It is the cookie that connects to original console and not new one. If I
remove cookie and try for new console, it works fine.

Any ideas how can I force flush cookie and let it go through authentication
module ?

Regards,
Rishi


On Tue, Oct 18, 2016 at 1:55 PM, Rishi <2rushike...@gmail.com> wrote:

> Thanks Mike for detailed information and saving hours in pursuing wrong
> path.
>
> I'd definitely look into custom auth and build something for us.
> I'm simply looking for a web callback as authentication mechanism. Let me
> know if its already present while I proceed to develop one. And in case I'm
> getting it working, can I contribute it back ?
>
> - Rishi
>
> On Tue, Oct 18, 2016 at 3:54 AM, Mike Jumper 
> wrote:
>
>> On Tue, Oct 11, 2016 at 3:41 AM, Rishi <2rushike...@gmail.com> wrote:
>>
>>> Hello All,
>>>
>>>
>> Hello Rishi,
>>
>>
>>> I'm using guacamole in an automated fashion such that after completing
>>> the external authentication, a new user-mapping.xml is generated.
>>>
>>
>> The intended mechanism for integrating Guacamole with external
>> authentication is not through auto-generating XML, but rather through
>> extensions:
>>
>> http://guacamole.incubator.apache.org/doc/gug/guacamole-ext.html
>>
>> http://guacamole.incubator.apache.org/doc/gug/custom-auth.html
>>
>> More on this below.
>>
>> The guacamole authentication in this case works correct however websocket
>>> connection for console happens to the last consoled vm. It is not able to
>>> properly disconnect last websocket session upon generation of new
>>> user-mapping.xml. I suspect its the cookies !
>>>
>>>
>> Guacamole doesn't use cookies in this way, but the authentication
>> mechanism that uses user-mapping.xml will cache the connections available
>> to a particular user once they log in, associating that information with
>> their session from that point forward. They will not see the results of
>> changes to that file until after they log out (or until they log in
>> elsewhere).
>>
>> If a new browser is used then the problem does not seem to appear.
>>>
>>
>> Yep. See above.
>>
>>
>>> So, would like to know how can I force flush cookies (if thats the
>>> problem) whenever guacamole UI is reloaded ?
>>>
>>
>> I don't think you should continue pursuing a solution driven by
>> user-mapping.xml. That authentication method is intentionally simple, and
>> not intended to serve as the middle ground between Guacamole and an
>> external authentication system. It's really aimed at simple deployments, or
>> as a quick way to verify that Guacamole works as expected before moving on
>> to something like LDAP or a database.
>>
>> In your case, where the idea is to integrate Guacamole with an external
>> system, I highly recommend developing an extension which does so. Guacamole
>> provides an API to achieve exactly this, and it's how the other
>> authentication extensions were written. There's no need to hack things
>> together using XML as an intermediary.
>>
>> - Mike
>>
>>
>

RE: Guacamole 0.9.9 VNC disconnect immediatly : segfault

[Jérémy Thévenin]

Hi,

Just Upgraded to 0.9.10 client and server…. And now.. it is working !

Best regards

De : Jérémy Thévenin
Envoyé : mardi 18 octobre 2016 16:29
À : user@guacamole.incubator.apache.org
Objet : RE: Guacamole 0.9.9 VNC disconnect immediatly : segfault

Hi Mike,

With Guacamole-server from git no segfault but disconnect immediatly again :


Oct 18 16:19:14 myserver guacd[1221]: Creating new client for protocol "vnc"
Oct 18 16:19:14 myserver guacd[1221]: Connection ID is 
"$15723cca-0800-466d-ad6d-3533088bcd52"
Oct 18 16:19:14 myserver guacd[1499]: Cursor rendering: local
Oct 18 16:19:14 myserver guacd[1499]: User 
"@f9cd8100-752c-49f9-8530-9977008c2e9b" joined connection 
"$15723cca-0800-466d-ad6d-3533088bcd52" (1 users now present)
Oct 18 16:19:14 myserver guacd[1499]: VNC server supports protocol version 3.8 
(viewer 3.8)
Oct 18 16:19:14 myserver guacd[1499]: We have 2 security types to read
Oct 18 16:19:14 myserver guacd[1499]: 0) Received security type 2
Oct 18 16:19:14 myserver guacd[1499]: Selecting security type 2 (0/2 in the 
list)
Oct 18 16:19:14 myserver guacd[1499]: 1) Received security type 16
Oct 18 16:19:14 myserver guacd[1499]: Selected Security Scheme 2
Oct 18 16:19:14 myserver guacd[1499]: VNC authentication succeeded
Oct 18 16:19:14 myserver guacd[1499]: Desktop name "abc6xx"
Oct 18 16:19:14 myserver guacd[1499]: Connected to VNC server, using protocol 
version 3.8
Oct 18 16:19:14 myserver guacd[1499]: VNC server default format:
Oct 18 16:19:14 myserver guacd[1499]:   32 bits per pixel.
Oct 18 16:19:14 myserver guacd[1499]:   Least significant byte first in each 
pixel.
Oct 18 16:19:14 myserver guacd[1499]:   TRUE colour: max red 255 green 255 blue 
255, shift red 16 green 8 blue 0
Oct 18 16:19:14 myserver guacd[1499]: Got new framebuffer size: 1920x1080
Oct 18 16:19:14 myserver guacd[1499]: User 
"@f9cd8100-752c-49f9-8530-9977008c2e9b" disconnected (0 users remain)
Oct 18 16:19:14 myserver guacd[1499]: Last user of connection 
"$15723cca-0800-466d-ad6d-3533088bcd52" disconnected
Oct 18 16:19:14 myserver guacd[1499]: Internal VNC client disconnected

De : Mike Jumper [mailto:mike.jum...@guac-dev.org]
Envoyé : mardi 18 octobre 2016 01:26
À : 
user@guacamole.incubator.apache.org
Objet : Re: Guacamole 0.9.9 VNC disconnect immediatly : segfault

On Fri, Oct 14, 2016 at 7:45 AM, Jérémy Thévenin 
> wrote:
Hi,

I am not able to use VNC connection with Guacamole 0.9.9. I tested multiple 
Install on VM Centos and Ubuntu without success.
(My last install is on a Ubuntun 16.04 with this script : 
http://chasewright.com/guacamole-with-mysql-on-ubuntu/)
VNC servers are TightVNC or UltaVNC.

Anyway, VNC disconnect immediatly, issue is always a segfault, check out my 
syslog :


Protocol "vnc" selected
Oct 14 15:26:09 myserver guacd[9572]: Connection ID is 
"$de03be85-61cf-426d-be73-81230b8a2cc5"
Oct 14 15:26:09 myserver guacd[9572]: VNC server supports protocol version 3.8 
(viewer 3.8)
Oct 14 15:26:09 myserver guacd[9572]: We have 2 security types to read
Oct 14 15:26:09 myserver guacd[9572]: 0) Received security type 2
Oct 14 15:26:09 myserver guacd[9572]: Selecting security type 2 (0/2 in the 
list)
Oct 14 15:26:09 myserver guacd[9572]: 1) Received security type 16
Oct 14 15:26:09 myserver guacd[9572]: Selected Security Scheme 2
Oct 14 15:26:09 myserver guacd[9572]: VNC authentication succeeded
Oct 14 15:26:09 myserver guacd[9572]: Desktop name "wks001"
Oct 14 15:26:09 myserver guacd[9572]: Connected to VNC server, using protocol 
version 3.8
Oct 14 15:26:09 myserver guacd[9572]: VNC server default format:
Oct 14 15:26:09 myserver guacd[9572]:   32 bits per pixel.
Oct 14 15:26:09 myserver guacd[9572]:   Least significant byte first in each 
pixel.
Oct 14 15:26:09 myserver guacd[9572]:   TRUE colour: max red 255 green 255 blue 
255, shift red 16 green 8 blue 0
Oct 14 15:26:09 myserver guacd[9572]: Starting client
Oct 14 15:26:09 myserver guacd[9572]: Got new framebuffer size: 1920x1080
Oct 14 15:26:10 myserver guacd[9572]: Client disconnected
Oct 14 15:26:10 myserver kernel: [ 3848.748953] guacd[9572]: segfault at 78 ip 
7f77ae1f7309 sp 7ffd6061ec00 error 4 in 
libguac-client-vnc.so.0.0.0[7f77ae1ec000+f000]

If anyone can help me .. I wish really push Guacamole in my enterprise …

Hi Jérémy,

Can you confirm whether this segfault still occurs with a copy of 
guacamole-server built from recent git?

https://github.com/apache/incubator-guacamole-server

Thanks,

- Mike